[ https://issues.apache.org/jira/browse/SOLR-15355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17431373#comment-17431373 ]

David Smiley commented on SOLR-15355:
-------------------------------------

Thanks for sharing your thoughts on the matter.

For this experiment, we used your repo and thus the specific AWS Java SDK as 
listed there (375) didn't change.  I checked just now with the latest (1.12.90) 
and same failing result.  We changed the version of hadoop-aws jar on the 
adjacent line to 3.2.2 to align with the upgraded Hadoop dependency in the base 
image.  This was necessary since some internal APIs changed.  And because we 
tested with your repo, it's not talking to S3 but Minio with the same version 
tested between runs.
{quote}There are a bunch of changes between 3.2.0 and 3.2.2:
{quote}
Apparently more than 250 from 3.2.0 to 3.2.1 and more than 250 from there to 3.2.2 
(as I play with the GitHub pickers).  Tons to review. :-/  I may try 3.3 in a 
quick/hack way to see if it addresses the issue before wasting time there.

> CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
> --------------------------------------------------
>
>                 Key: SOLR-15355
>                 URL: https://issues.apache.org/jira/browse/SOLR-15355
>             Project: Solr
>          Issue Type: Bug
>          Components: hdfs, security
>    Affects Versions: 8.6, 8.6.2
>            Reporter: Nazerke Seidan
>            Priority: Major
>             Fix For: 8.10
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> CVE-2020-9492 vuln. issue is found in 8x component 
> maven:org.apache.hadoop:hadoop-hdfs-client (version 3.2.0). It seems that with 
> version 3.2.0 the hdfs client might send the authorization header to a remote URL 
> without verification. 
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492])



--
This message was sent by Atlassian Jira
(v8.3.4#803005)